Collection of sites with dumb password rules

Originally published at: https://boingboing.net/2019/09/06/collection-of-sites-with-dumb.html

8 Likes
17 Likes

BRB, gotta go change my LinkedIn profile to declare myself a fluent typer of Hacking Characters.

1 Like

I hate the ones that don’t allow spaces, but their error message is that it has to be longer. (Frequently they’re ones that also mandate a number and punctuation character – but no spaces.)

4 Likes

Some of the complaints I agree with - 4 digit PINs and too-short maximum password lengths in particular always annoy me. But some of the rules they’re complaining about seem like good ones to me, designed to keep people from using shitty passwords. I’m having a hard time finding anything particularly objectionable about password rules like the ones in the picture attached to the article.

“Pas$w0rd” isn’t any better than “password”.

3 Likes

As a software dev at a large company, I have ~8 passwords for different servers, laptops, applications, 3rd party institutions, etc.

They are required to be unique, they are required to have the whole “capital letter, number, symbol, and whatnot (although some won’t take certain symbols)” and I am required to change them every few months.

There is no way I’d be able to remember all of them so I have a handy index card in my wallet. It doesn’t have the actual passwords, but just a reminder. So if my password is J33p…&&, my card would have “car…andand”.

5 Likes

That is literally what password managers are for. I have one, long and hard password to remember and then it remembers all the rest for me. And if the password manager doesn’t integrate to fill it in for me, it still has the ability to show me my list of accounts/passwords once I’m logged into it.

6 Likes

Military based sites are the worst. One of the rules is always “no more than 3 consecutive letters that can be found in the dictionary,” so dic, tio, nar would all be disallowed. It’s SUPER frustrating.

5 Likes

Would they? They aren’t more than three.

1 Like

File this along with sites that won’t accept email addresses with top level domain names created in the last 10 years. My wife’s .space address? Routinely rejected.

4 Likes

Yeah, there are so many sites sucking at passwords. If you’re doing it right there is no technical reason for having a maximum length and allowing some special characters but not others. So often I’ll copy and paste a long, random, secure password but it’ll be rejected for no discernible reason.

3 Likes
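To make the point concrete, here is an added example (not code from the thread or from any site it mentions) contrasting a composition-rule policy of the kind complained about above with a length-plus-blocklist policy, and showing that a fixed-size password hash makes a maximum length unnecessary. The common-password set and the specific limits are constructed for illustration.

```python
import hashlib
import secrets

# Constructed stand-in for a breached/common-password list; a real deployment
# would check against a large breach corpus instead of five literals.
COMMON_PASSWORDS = {"password", "pas$w0rd", "123456", "qwerty", "letmein"}


def legacy_policy(pw):
    """Composition-rule policy: bans spaces, caps length, demands character classes."""
    if " " in pw:
        # Rejects the space but blames length, exactly the misleading message
        # described in the thread.
        return False, "Password must be longer"
    if len(pw) > 16:
        return False, "Password must be at most 16 characters"
    if not any(c.isupper() for c in pw):
        return False, "Password must contain an uppercase letter"
    if not any(c.isdigit() for c in pw):
        return False, "Password must contain a digit"
    if not any(c in "!@#$%" for c in pw):
        return False, "Password must contain one of !@#$%"
    return True, "ok"  # "Pas$w0rd" passes; a long passphrase with spaces does not


def modern_policy(pw):
    """Length and blocklist only: any character is allowed, no composition rules.
    The byte ceiling is a denial-of-service guard for the hash, not a storage limit."""
    if len(pw) < 12:
        return False, "Password must be at least 12 characters"
    if len(pw.encode("utf-8")) > 256:
        return False, "Password must be at most 256 bytes"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "Password is too common"
    return True, "ok"


def hash_password(pw, salt=None):
    """scrypt produces a fixed 32-byte digest whatever the password length,
    so the stored column never needs to bound what the user may type."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(pw, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(pw, salt)
    return secrets.compare_digest(candidate, digest)
```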

Rephrase. 3 or more.

So any 3 consecutive letters that are or part of a word are disallowed.

“Don’t point that thing at me!”
“Fry who?”

Don’t know where this came from originally but:

33 Likes

That is really crazy. It almost seems like there would be fewer three letter combinations that AREN’T in the dictionary. If you know that rule, it might actually be easier to guess those passwords.

7 Likes

Finally I realized that my password was being truncated by the password input field itself.

This reminds me - several years ago my girlfriend and I were in Rome and her ATM card wouldn’t work. We were going insane. Our poor Italian didn’t help when we tried to call customer service or talk to the bank who owned the ATM. In the end it turned out that she had chosen a 6 digit PIN for her bank account (Bank of America I think) and that worked everywhere else she had used an ATM. But not in Rome at this one. After much hair pulling and a near breakdown, it turned out the answer was to leave off the last two digits of her PIN. It worked with only a partial PIN!?!?

14 Likes

I presume it is to prevent people using things like YES or AXE. So they must have a script that simply looks against a dictionary of items but they didn’t make it “smart” enough to differentiate between “AXE” as a stand alone word or “anSWEr”.

2 Likes

I’ve actually used password complexity rules to reduce the attack space for password cracking. As long as you know where the hashes come from, and what their policy is, you can really cut down on the number of guesses required by excluding anything that doesn’t match the policy.

8 Likes

With hundreds of passwords and rules that require changing them all at different intervals, I’ve depended on a password manager named Password Safe for years. I do recommend it. It’s free and open source, but it’s also a desktop thing and I don’t use a phone or tablet-based password manager.

1 Like